Information Technology

CLOUD COMPUTING

Cloud computing is a model that enables universal and on demand access to a shared set of computer resources (for example, servers, data storage, networks and applications), made available to minimize management efforts and interaction with the service provider. In addition, the model stands out due to its essential characteristics of self-provisioning, high availability, ample access via internet, quick elasticity and services measured by usage.

The technology can be used in different ways, depending on the use and business needs. Considering the implementation forms, there are basically four cloud categories: public, private, community, and hybrid. The most well known and popular cloud services are available in public clouds, such as electronic mail and file storage.

According to services architecture, there are three categories: software as a service – SaaS, platform as a service – PaaS, and infrastructure as a service – IaaS. In the SaaS category, applications such as office productivity tools and integrated management systems are made available to the client in a cloud infrastructure of the provider itself. In PaaS, resources such as data bases, platforms for application developers, and infrastructure for executing the clients’ own applications are provided. In IaaS, fundamental computer resources are provided (hardware, storage and network) in which clients can install software in general, including operational systems and applications.

Objetive of Information Gathering Survey Due to the increasing adoption of this technology, between October 2014 and February 2015, TCU

carried out a survey with the main objective of identifying the most relevant risks to Federal Public Administration (APF) when hiring cloud computing services.

To this end, the work addressed aspects ranging from cloud computing concepts and models, advantages of adopting the technology, service commercialization models, international norms and standards, and the Brazilian legal framework, to the current scenario of how the APF hires cloud computing services.

Main TCU conclusionsThe cloud computing model can bring serveral benefits, such as 1) reduction of costs for IT

infrastructure and services due to economies of scale; 2) optimization of IT team productivity, improving critical mission operations support; 3) greater availability of IT services and, consequently, better productivity of the final user; 4) resistance to attacks against availability of services; and 5) reduction of time to implement new services and a quicker innovation cycle. For the public administration, adoption of cloud computing also brings additional benefits, such as:

• greater agility in delivering and technological updating of public services; • increase of access and use of governmental information; • more agile support to big data and open data initiatives; and• answering to seasonal demand for internet services without having to allocate a large amount• of fixed IT resources, which are subutilized when there is little use.However, when the survey was carried out, initiatives involving the use of cloud computing services

were still an exception within the APF. In general, the managers were still cautious, especially because they were concerned about the risks to information security. There were also uncertainties regarding a stricter interpretation of Decree 8.135/2013 which says that the public administration should hire exclusively public IT companies to execute cloud computing services. Among the public companies that can deliver these services, Dataprev had not yet begun its commercialization and Serpro’s offer was limited.

Therefore, a likely retaining of projects of this nature, due to manager’s concerns and capacity constraints of public IT companies, could lead to not taking advantage of opportunities created by cloud computing. This new model, despite introducing certain risks such as those deriving from outsourcing from the sharing of resources, mitigates a series of other problems that are so common in Information Technology the area of IT, such as a lack of expansion capacity and delay in implementing environments or systems. There are risks regarding information security that have to be considered by the manager,

www.facebook.com/tcuoficial www.youtube.com/tcuoficial

www.tcu.gov.br

www.twitter.com/tcuoficial

Information Technology

but one must also consider that the protections based in clouds many times are more robust, scalable, efficient and inexpensive when compared to internal solutions, due to specialization of the providers and to economies of scale.

The organizations should analyze the existing risks and several economic and technical factors in order to justify the decision whether or not to hire cloud computing services, as well as to previously adjust contracts. Nevertheless, one can begin with applications that contain public and noncritical information, with a low risk to information security.

Main risks identified by TCUIn order to facilitate use by the manager – when planning how to hire – and by the auditor, a table

containing possible controls associated to the risks identified were created, as well as criteria references (standards and good practices).

The 43 risks identified were grouped in fifteen risk categories which were, in turn, grouped into four topics: “information security”, “governance and risk management”, “procurement and contract management”, and “IT infrastructure”.

With regard to risks inherent to the Federal Public Administration, we highlight the risks of nonconformity with Brazilian norms, such as DSIC/GSI/PR norms, Decree 8.135/2013 and Interministerial Ordinance 141/2014.

Furthermore, due to the transformation of capital expenditure into operating expenditure, there is a risk of exceeding the budget available because of consumption greater than expected. This could result in the interruption of services because of a lack of resources

Expected benefitsThis survey allowed identification of opportunities for external control performance in the area of

cloud computing. In addition, a table with risks and possible controls associated with cloud computing services procurement and also a reference matrix containing audit questions, procedures and possible findings were created, thus assisting TCU auditors in future oversight actions.

Thus, the information obtained and the risks identified will guide Public Administration Managers and will support future TCU work in the field of cloud computing, an innovative format for providing solutions and delivering IT services.

DecisionDecision 1.739/2015-TCU-Full CourtDate of session: 07/15/2015Reporter: Minister Benjamin ZymlerTC: 025.994/2014-0Technical unit in charge: Department of External Control of Information Technology (Secretaria

de Fiscalização de Tecnologia da Informação - Sefti), with the support of the Department of IT Infrastructure (Setic)